CISO Stories Podcast

In this episode, Erika Dean dives into the evolution of attack surface management (ASM) in financial tech. From foundational strategies to future-focused threats, she explores how shifts in the fintech landscape demand deeper organizational awareness, ongoing tabletop exercises, and proactive preparation. This segment is sponsored by Axonius. Visit https://cisostoriespodcast.com/axonius to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-212

Mandy Andress joins our show to discuss leveraging cyber liability insurance for risk reduction. They explore the importance of strong broker relationships and key steps for selecting or renewing a policy—starting with assessing organizational needs. Learn strategies to lower premiums while increasing coverage. Segment Resources: https://www.elastic.co/ This segment is sponsored by Sophos. Visit https://cisostoriespodcast.com/sophos to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-211

In this episode of the CISO Stories Podcast, we're joined by Mike Miller, a seasoned penetration tester and audit and compliance SME, to explore the real-world impact of incident response controls. From technical to managerial and physical safeguards, Mike shares eye-opening stories from the field—including how he once penetrated a network with nothing more than a dozen doughnuts. We dive into the importance of layered security approaches and practical tips for strengthening incident response frameworks. Don't miss this blend of humor, insight, and actionable advice for cybersecurity leaders. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-210

In this episode, we sit down with author and AI expert Rock Lambros to explore the evolving landscape of AI governance. We discuss the risks of AI chatbots, comparing OpenAI and DeepSeek, and examine current and emerging governance frameworks. As AI adoption accelerates, organizations must determine the right guardrails and critical questions to ask. This conversation provides insights into how companies are shaping their AI strategies for a more secure and responsible future. Segment Resources: https://www.youtube.com/@RockOnCyber https://genai.owasp.org https://owaspai.org Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-209

In this episode, we sit down with experienced CISO Gavin Reid to explore the escalating online threats to privacy, focusing on adversaries and companies illicitly scraping website data for profit. We dive into the implications of such unauthorized data collection and its impact on individual and organizational privacy. Reid also shares insights from his team's involvement in dismantling BadBox, a coordinated global attack exploiting connected TV (CTV) devices, highlighting the intersection of cybersecurity and privacy concerns. HUMAN's Satori threat intelligence team has published the following resources on BadBox: https://www.humansecurity.com/company/satori-threat-intelligence/badbox https://www.humansecurity.com/learn/blog/badbox-peachpit-and-the-fraudulent-device-in-your-delivery-box https://www.humansecurity.com/newsroom/human-disrupts-digital-supply-chain-threat-actor-scheme-originating-from-china Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-208

In this episode of CISO Stories, Jess Hoffman and Sheena Thomas explore the challenges of cloud security in higher education. They discuss trust issues with cloud providers, the importance of understanding data sensitivity, and navigating regulatory compliance. Sheena highlights the vulnerabilities educational institutions face, the value of incident response playbooks, and the balance between trust and risk in cloud services. The conversation underscores the need for due diligence, awareness, and collaboration to secure higher education in the cloud era. This segment is sponsored by Fortinet Cloud Security. Visit https://cisostoriespodcast.com/fortinet to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-207

Jessica Hoffman and Melina Scotto discuss the evolution of cybersecurity, focusing on cloud security, business responsibilities, and the importance of basic cyber hygiene. They highlight the role of communication, consulting, and integrating security into business operations, concluding with advice for future cybersecurity professionals. This segment is sponsored by Fortinet Cloud Security. Visit https://cisostoriespodcast.com/fortinet to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-206

Jess and Adam discuss cloud security challenges for SMBs, emphasizing strategic planning, compliance with regulations like CMMC, and vendor due diligence. They highlight common pitfalls like the illusion of security and inadequate staffing while offering cost-effective solutions like virtual CISOs. Practical tips help SMBs secure their data, navigate legal concerns, and maximize available resources. This segment is sponsored by Fortinet Cloud Security. Visit https://cisostoriespodcast.com/fortinet to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-205

In this episode, we dive into the critical role of proper configurations in cloud environments and why misconfigurations remain the leading cause of security breaches. From overly permissive access controls to unencrypted data stores and default credentials left unchanged, we explore real-world examples that adversaries exploit. Learn how organizations can mitigate these risks through proactive monitoring, automated tools, and a culture of security-first thinking. Tune in to uncover actionable insights to keep your cloud infrastructure secure. This segment is sponsored by Fortinet Cloud Security. Visit https://cisostoriespodcast.com/fortinet to learn more about them! Segment Resources: CoGuard CLI (Select cloud resources can be scanned with a free account): https://portal.coguard.io/auth/realms/coguard/protocol/openid-connect/auth?clientid=client-react-frontend&redirecturi=https%3A%2F%2Fportal.coguard.io%2F&state=7cd7e2ac-aa64-497d-8957-f0b8be3e2f8d&responsemode=fragment&responsetype=code&scope=openid&nonce=86649c48-03f3-44c1-9612-560d42e049d9 More info on the CoGuard CLI on Github: https://github.com/coguardio/ Open AI grant: https://openai.com/index/empowering-defenders-through-our-cybersecurity-grant-program/ Open AI research results on Github: https://github.com/coguardio/coguardopenairuleautogeneration_research Securing Multi Cloud Environments - Tips from Nadia's co-founder/CTO - blog: https://www.coguard.io/post/securing-multi-cloud-environments Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-204

Bertrum Carroll dives into the evolution of cloud service adoption, comparing early concerns—like data storage, access, and usage—to current apprehensions about AI. We explore how leadership can empower teams with the right training to harness technology effectively. Learn why understanding the shared responsibilities between providers and customers is critical for cloud security success. This segment is sponsored by Fortinet Cloud Security. Visit https://cisostoriespodcast.com/fortinet to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-203

In this episode, we're joined by Tammy Klotz, a 3x CISO in the manufacturing industry, to explore identity security challenges in manufacturing environments. Tammy discusses the differences in access management for frontline workers versus knowledge workers, touching on the unique devices and role-based training requirements. Tune in to learn how tailored security solutions are key to managing access across diverse user groups in industrial settings. This segment is sponsored by CyberArk. Visit https://cisostoriespodcast.com/cyberark to learn more about them! This segment is sponsored by Saviynt. Please visit https://cisostoriespodcast.com/saviynt to learn more and get a free demo! This segment is sponsored by Liminal. Visit https://cisostoriespodcast.com/liminal to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-202

In this episode of CSP, we sit down with Dr. Sean Murphy, the CISO of BECU, one of Seattle's largest credit unions, to discuss the shifts in identity security brought on by the COVID-19 pandemic. Dr. Murphy highlights how Zero Trust architecture became crucial for verifying internal users, especially as remote work became the norm. He shares insights on the unique challenges of securing a remote workforce in the banking sector and underscores the importance of a robust identity security framework in protecting both members and employees in today's evolving threat landscape. This segment is sponsored by CyberArk. Visit https://cisostoriespodcast.com/cyberark to learn more about them! This segment is sponsored by Saviynt. Please visit https://cisostoriespodcast.com/saviynt to learn more and get a free demo! This segment is sponsored by Liminal. Visit https://cisostoriespodcast.com/liminal to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-201

Let's talk about what CISOs look for when hiring identity and access management team members. What training and experience is most attractive for the business and team. This segment is sponsored by CyberArk. Visit https://cisostoriespodcast.com/cyberark to learn more about them! This segment is sponsored by Saviynt. Please visit https://cisostoriespodcast.com/saviynt to learn more and get a free demo! This segment is sponsored by Liminal. Visit https://cisostoriespodcast.com/liminal to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-200

Guessing the answer is yes. Well, let's talk about some of the simple ways you can avoid account compromises by strengthening your identity security through MFA, least privilege, account reviews, and all the things! This segment is sponsored by CyberArk. Visit https://cisostoriespodcast.com/cyberark to learn more about them! This segment is sponsored by Saviynt. Please visit https://cisostoriespodcast.com/saviynt to learn more and get a free demo! This segment is sponsored by Liminal. Visit https://cisostoriespodcast.com/liminal to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-199

Let's talk about how important having a customer success manager, or equivalent, to assist you with your tool integration can make the difference between resource fatigue and success. On top of having solid relationships with our tool vendors, long time CISO Jake Lorz, shares with us how important tool interoperability is, proper governance reviews, and looking at your organization's security strategy when planning for current and future tool selection. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-198

Let's talk to cybersecurity expert, Lalisha Hurt, about her approach to selecting the right tools for your organization by using proven methods such as referencing the Gartner Magic Quadrant, thinking about the entire IT portfolio as part of your selection process, and what a successful 'Vendor Day' can do! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-197

What if there was more to making those impactful decisions that you haven't considered? Let's talk about how being open minded can directly impact the success of tool selection and optimization in your company. Is a SOC report enough or are there other criteria needed to make that risk based decision? Let's discuss cognitive biases in tool selection with researcher Dr. Dustin about why it benefits your organization to be eyes open. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-196

Let's talk to our favorite Tokyo security leader about how she has experienced tool selection across the world. To be risk adverse or not to be risk adverse. What a question! Segment Resources: https://www.youtube.com/watch?v=BdFzJxSemKo Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-195

Hear from expert TimBall, CISO for NGO-ISAC, on his experiences in the industry and how he advises his members on finding the right tool. Especially when it comes to making sure the tool isn't a ‘shiny object' purchase but actually addressing your organizations underlying issues and bringing value! Bonus, let's talk about election security! Segment Resources: https://www.ngoisac.org/ Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-194

Let's talk about how regardless of your organizations data footprint being in the cloud or on prem, or if you're a billion dollar organization or smaller, if the adversaries want in, they will find a way. Don't fall victim because of bad cyber hygiene but instead work your experiences, your leadership, and train your people to limit exposure. Hear from Incident Response expert, Levone Campbell, on the lessons he learned in being proactive and reactive to some of the largest incidents in history. This segment is sponsored by Semperis. To combat today's cyber attacks, enterprises like yours need a way to see the whole picture beyond silos and secure their entire hybrid AD environment. Now you can — with Semperis. Visit https://cisostoriespodcast.com/semperis Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-193

Let's talk about the vCISO's approach to Incident Response advisory with clients; particularly small and medium sized businesses (SMB). How can your cyber liability insurance support your organization outside of when an incident occurs? We will discuss strategies SMBs can take to strengthen their IR plans while keeping in mind their business needs and contingency plans. Segment Resources: https://www.linkedin.com/in/wilklu/ This segment is sponsored by Semperis. To combat today's cyber attacks, enterprises like yours need a way to see the whole picture beyond silos and secure their entire hybrid AD environment. Now you can — with Semperis. Visit https://cisostoriespodcast.com/semperis Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-192

Listen to the importance of legal relationships and interaction with the CISO and security program. Jess and Joe talk about the need for legal to understand the security team's day to day and also what incident response means to your organization. Bringing your legal reps into the folds when a breach happens is too late! Work as a team early to make sure all parties are knowledgeable and ready to act without time wasted. This segment is sponsored by Semperis. To combat today's cyber attacks, enterprises like yours need a way to see the whole picture beyond silos and secure their entire hybrid AD environment. Now you can — with Semperis. Visit https://cisostoriespodcast.com/semperis Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-191

Todd Fitzgerald will be moving on from the CISO STORIES podcast after 185+ episodes, which was initiated almost 4 years ago following the publication of the #1 Best-Selling CISO COMPASS book, which has guided 1000's of emerging, current, experienced, and new CISOs and their teams in their journey to protect our organizations' and nation's information assets through a structured, business-oriented roadmap. Over 75 CISO and industry leader contributors to the book had their ‘grey boxes' come to life in their own voice through this podcast. Since then, many esteemed CISOs have been on the invitation-only podcast to share practical, pragmatic experiences on timely, relevant issues. We learn from each other, and it is an honor to interview such top-notch CISOs. Join us as Todd shares his view of the evolution of the CISO role and where it is going. Todd will also share some of the memorable moments and messages from producing the podcast. This segment is sponsored by Semperis. To combat today's cyber attacks, enterprises like yours need a way to see the whole picture beyond silos and secure their entire hybrid AD environment. Now you can — with Semperis. Visit https://cisostoriespodcast.com/semperis Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-190

Vulnerabilities are the ‘front doors' for attackers to infiltrate our systems and a key process organizations must get right into order to protect our systems and information assets. Join us as we discuss vulnerability management, identification of assets, prioritization, threat intelligence, leveraging tools, desired vulnerability product features, business impact and vulnerability measurement timing. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-189

Rapid advancement in the sophistication and availability of "deepfake" technology enabled by generative AI - the ability to generate convincing multimedia and interactive representations indistinguishable from the real thing - presents new and growing challenges for CISOs seeking to combat fraud, intrusion, disinformation, and other adverse consequences of social engineering. CISOs will need to maintain enhanced understanding of deepfake technology to craft and manage effective controls - yet some of the most effective controls may be surprisingly low-cost and low-tech. This podcast will examine the state of practice for deepfake generation and distribution and discuss effective countermeasures and controls for common threat typologies. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-188

Managing vulnerabilities is a large, complex problem that can't be completely fixed. And still, many cybersecurity organizations continue with a traditional approach that attempts to address all vulnerabilities, spreading staff too thin and increasing exploitation windows. With a small set of vulnerabilities being the cause of most of the breaching, taking a focused approach can have a significant impact on reducing the risk of successful cyber attacks. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-187

Join us as we discuss how critically important it is for a CISO to establish, maintain, and frequently leverage in informal network. With almost daily changes in the threat landscape across all industries, it's critical to have informal but trusted resources to rely on for advice, information, and just overall "sounding board" opportunities. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-186

Join us as we discuss the organization's GRC program and how GRC helps drive the business of information security from internal and external perspectives to integrate security into the culture, while maintaining compliance with regulations imposed for insurance and public companies. Segment Resources: Webcast: https://www.scmagazine.com/cybercast/the-regulatory-landscape-in-2030-what-you-need-to-know Podcast (Enterprise Security Weekly): https://www.scmagazine.com/podcast-segment/11416-the-rise-of-regops-the-need-for-compliance-automation-travis-howerton-esw-313 News/interview: https://www.scmagazine.com/news/generative-ai-not-just-revolutionary-but-evolutionary This segment is sponsored by RegScale. Visit https://cisostoriespodcast.com/regscale to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-185

CISOs need to enhance their strategic influence and operational impact within their organizations. This calls for a departure from traditional, insular security approaches towards a partnership model that aligns security initiatives with business growth and value. By adopting an attitude of listening, humility, and interdisciplinary collaboration, CISOs can transcend fear-based justifications for investment and instead, demonstrate how robust cyber security measures contribute to the overall health and success of the business. Such an evolution in the CISO role is essential for building resilient, forward-looking organizations that view security as a cornerstone of their strategic endeavors. In the combined context of Resilience and Reputation and Trust, CISOs must orchestrate a delicate balance between robust defensive measures and the cultivation of a strong, trustworthy brand. At this juncture, resilience becomes more than just a technical safeguard; it is about ensuring the continuity and reliability that stakeholders have come to expect. This reliability directly feeds into the organization's reputation, setting the stage for trust to be the cornerstone of all engagements—internal and external. The journey from a reactive security posture to one that is proactive and business-aligned requires that CISOs embed security consciousness into the corporate DNA. As they reach these advanced stages, CISOs transform their roles from protectors to strategic enablers, guiding their organizations through the digital landscape with a clear vision for safeguarding and enhancing both operational fortitude and brand integrity. Security thus becomes an integral part of the value proposition, fostering trust and loyalty among customers, and cementing the organization's reputation as a leader in responsible business practices in the digital age. Segment Resources: Webcast: https://www.scmagazine.com/cybercast/the-regulatory-landscape-in-2030-what-you-need-to-know Podcast (Enterprise Security Weekly): https://www.scmagazine.com/podcast-segment/11416-the-rise-of-regops-the-need-for-compliance-automation-travis-howerton-esw-313 News/interview: https://www.scmagazine.com/news/generative-ai-not-just-revolutionary-but-evolutionary This segment is sponsored by RegScale. Visit https://cisostoriespodcast.com/regscale to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-184

With the vast number of cybersecurity solutions in the marketplace, how do you identify what fits with your company's strategic goals, then deploy and scale in a reasonable timeframe? Hear a CISO who has built a methodology for assessing and implementing new security technologies and successfully used it at several large global enterprises. Segment Resources: Webcast: https://www.scmagazine.com/cybercast/the-regulatory-landscape-in-2030-what-you-need-to-know Podcast (Enterprise Security Weekly): https://www.scmagazine.com/podcast-segment/11416-the-rise-of-regops-the-need-for-compliance-automation-travis-howerton-esw-313 News/interview: https://www.scmagazine.com/news/generative-ai-not-just-revolutionary-but-evolutionary This segment is sponsored by RegScale. Visit https://cisostoriespodcast.com/regscale to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-183

As organizations grow, there comes a time when managing by excel spreadsheets is not longer feasible and accurate data sources, regulations, and risk need to be accurately reflected within Governance, Risk and Compliance (GRC) tools. Reporting to the board must be based upon accurate information. Join us as we discuss the important aspects of forming a GRC program. Segment Resources: Webcast: https://www.scmagazine.com/cybercast/the-regulatory-landscape-in-2030-what-you-need-to-know Podcast (Enterprise Security Weekly): https://www.scmagazine.com/podcast-segment/11416-the-rise-of-regops-the-need-for-compliance-automation-travis-howerton-esw-313 News/interview: https://www.scmagazine.com/news/generative-ai-not-just-revolutionary-but-evolutionary This segment is sponsored by RegScale. Visit https://cisostoriespodcast.com/regscale to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-182

We discuss the topic of Human Centric Cybersecurity and the importance of empowering the 'people' aspect of the People, Process, Tech framework. In this conversation we raise the importance of well-being amongst Tech and Cyber leaders and how to keep calm through the chaos to lead our teams well. Also important is diversity in this field and the Holistic approach to cyber, starting with the people/human first aspect. This segment is sponsored by RegScale. Visit https://cisostoriespodcast.com/regscale to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-181

Advisory Boards - helping cybersecurity companies grow is foundational to helping enterprises select best in class tools to protect their environments. If done properly, scaling cybersecurity companies can have a positive global impact on how information is protected and minimizing business disruption. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-180

Many organizations are starting today down the Zero Trust path. Zero Trust is a strategy (vs an architecture) and to prove the value of this investment, we need to start thinking about metrics to demonstrate value. Join us as we discuss some of the metric directions to consider when moving our organizations towards Zero Trust. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-179

The importance of CISO skills/metrics for the board, demonstrating the business value and necessity of good cybersecurity posture, as capabilities the CISO must master to be effective in securing the appropriate investment level. Join us as we discuss interactions with the board and leveraging metrics to show business value. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-178

CISOs must prioritize the intelligent selection of cybersecurity products by considering the total cost of ownership (TCO) and whether point products or platforms are best suited. This includes the costs of deployment and operations for people, processes, and technology, as well as the ongoing maintenance and support of a product. By considering the TCO of various products, CISOs can make more informed decisions and choose the products that will provide the best value for the organization. Choosing a more expensive product with a lower TCO can be a more cost-effective option overall, as these products often require less maintenance and provide better protection against cyber threats. In a market where capital efficiency is a key concern, this is an essential consideration for CISOs. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-177

Data Governance is a key component in protecting the data from different points of view including information security confidentiality, integrity, and availability. There are several standards that have control requirements for Data Governance relating to PCI, HIPAA, and PII, data security and more. Two of the Internal Standards having Data Governance requirements are: GDPR, ISO/IEC 27001:2022 The internal policies pertaining to gathering data, processing data, storing date, and disposal of data storing data, and disposal of data are a concern of information security. These polices also affect but also asset management, It governs who can access what kinds of data and what kinds of data are under governance. This segment is sponsored by Spirion. Visit https://cisostoriespodcast.com/spirion to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-176

Data is the fuel of modern organizations. Data governance ensures the quality of that fuel, as well as ensure its optimal utilization. It ensures that people use and access data appropriately. This value is timely in the face of artificial intelligence offerings whose utility relies on quality data. This segment is sponsored by Spirion. Visit https://cisostoriespodcast.com/spirion to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-175

As technology has enabled high speed access and massive amounts of inexpensive storage, data is being created at a logarithmic hockey-stick pace. Not all this data is important for the organization, however the organization must understand what data is important to run the business. Join us as we discuss this dilemma, with an eye to protecting essential information. Good data governance processes are essential for effective security. This segment is sponsored by Spirion. Visit https://cisostoriespodcast.com/spirion to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-174

Security is both overcooked and underdeveloped at the same time, and we keep doubling down on insanity. Our own community is at great fault for pushing fear and ignoring service, leading to consistent, negative experiences for all other stakeholders in the organization - and ultimately the CISOs themselves. "Do more cyber" never had, does not, and never will lead to better outcomes, yet this is all everyone is talking about. The trifecta of fear (we fear it, we don't understand it, we know we must have it) is used effectively by vendors to drive an ever-increasing wedge into IT budgets, even as the actual utilization ratio of security tools is precipitously low (my estimate is 5%). Frustration abounds, the CISO job is a revolving door, and nobody's happy. Now the regulators are getting involved in all the wrong ways (see the recent SEC action against Tim Brown) - and it's entirely our fault. This segment is sponsored by Spirion. Visit https://cisostoriespodcast.com/spirion to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-173

The terminology of ICS has morphed into OT (Operational Technology) security; however many organizations are lacking in addressing the OT security controls. As some companies talk about air gapping as the primary method of securing OT, the reality is many times true air gapping does not exist. Join us as we discuss why these gaps occur and what needs to be done to secure OT. This segment is sponsored by Arctic Wolf. Visit https://www.cisostoriespodcast.com/arcticwolf to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-172

For manufacturing companies, technology has taken over a good deal of the day-to-day operations occurring on the manufacturing floor. Things like robotics, CNC machines and automated inventory management. There are even systems that track what tools are used, by whom and for how long. This technology often works outside of or flies under the radar of traditional IT processes. For critical infrastructure, we are hooking up legacy systems to larger networks. Industrial control systems, that were never designed to be attached to the Internet, are now exposed to a wide array of new threats and attacks. Aside from those risks, digital sensors can be attached to almost anything these days, making everything "smart". And with the ability for sensors to also be controllers the risks levels are rising quickly. This segment is sponsored by Arctic Wolf. Visit https://www.cisostoriespodcast.com/arcticwolf to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-171

Manufacturing environments rely heavily on Operational Technology (OT) systems – such as industrial control systems, supervisory control, PLCs etc. to manage production processes. Compromises of these networks and systems can have devastating consequences, including: • Production disruptions and downtime • Safety hazards: • Data breaches and intellectual property theft: • Financial losses: Ransomware attacks can cripple operations and demand hefty payments. Manufacturing is a lucrative target for Ransomware. • There is little tolerance for downtime. • Difficulty in managing OT environments (different skillsets) • Increasing connectivity between IT and OT due to digital transformation Incidents such as the well documented Colonial Pipeline attack along with other manufacturing companies like Dole, and Brunswick continue to highlight the growing threat landscape for OT security in manufacturing. This segment is sponsored by Arctic Wolf. Visit https://www.cisostoriespodcast.com/arcticwolf to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-170

The cybersecurity threat landscape is constantly evolving, and experience has shown that everyone and every organization is prone to being breached. How do you prepare for what seems inevitable? You assume breach and plan accordingly. Cyber resilience has become a top priority as organizations figure out how to build a network that can either continue functioning or can recover quickly when faced with cybersecurity attack. This segment is sponsored by Arctic Wolf. Visit https://www.cisostoriespodcast.com/arcticwolf to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-169

Operational Technology (OT) security is concerned with protecting embedded, purpose-built technologies enabling our industrial processes. You also may have heard “adjacent” buzzwords like Internet of Things (IOT) and Fog (like “cloud” but close to the ground). OT security has significant challenges in terms of cost/size/weight, capability, ability to be updated, and robustness (often, OT failures can endanger lives). More recently, as cyber warfare evolves, OT is one of two main attack vectors. This session will explore the threats, and ability to manage them, using war stories. This segment is sponsored by Arctic Wolf. Visit https://www.cisostoriespodcast.com/arcticwolf to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-168

Third-Party Risk Management is essential for safeguarding an organization's assets, reputation, and operations. By identifying, assessing, and managing risks associated with external partners, organizations can enhance their resilience, protect sensitive information, and maintain the trust of stakeholders in an increasingly interconnected business ecosystem. We have seen the threat landscape change in the last few years. It has always been important to properly identify, categorize, and address risks created by our vendors and strategic partners, to now having to understand the entire supply chain, and how interruptions can affect your business. Even more recently, with the rise of Business Email Compromise (BEC), risks may also come from organizations you have no previous relationship or agreements with. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-167

Schneider Electric has over 52,000 suppliers and sells hundreds of thousands of products of which 15,000 would be classified as intelligent products. To address risks stemming from third-party suppliers, and in recognition of the risks posed to customers, we have a holistic approach to value chain security, by implementing security controls at every level (R&D, Design, Manufacturing, Distribution, Staging, Commissioning and Operating). This approach is guided by policies and regulations, continuously evolving to improve our maturity. On the Third-party Cyber posture level, Schneider Electric partners across the industry to raise cybersecurity maturity, with the World Economic Forum (WEF), ISA Global Cybersecurity Alliance (ISAGCA), and Cyber Tech Accord. We specifically have a tiered third-party risk management program which evaluates suppliers through evidenced-based reviews of their secure development processes and cybersecurity posture. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-166

Breaches at software vendors used by many organizations have highlighted the external software supplier risk, requiring organizations to be even more diligent. Join us as we discuss the supply chain issues and their relationship to software supply chain issues and how organizations should approach environment with supplier software risk, geo-political risk, environmental concerns to maintain business resiliency. This segment is sponsored by VISO TRUST. Visit https://cisostoriespodcast.com/visotrust to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-165

With CISA just putting out new “secure by design” guidance, Lexmark CISO Bryan Willett pulls the curtain back on the curtain back on how Lexmark is approaching secure-by-design in its products Lexmark is at the forefront of secure by design as their products constantly touch highly confidential information in regulated industries, along with an established security record validated by IDC, Quocirca, and Bitsight. Bryan talks about the impact of secure by design on hardware manufacturers; the steps his company has taken to secure its products, monitor suppliers, and push updates; and his thoughts on the CISA guidance. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-164

Generative AI security and integrity. This is important to me because it's a cool new commercially available technology that promises efficiency and time savings--and therefore everyone wants to use it without a thorough understanding of how to secure data used with it or correcting model bias introduced through improper governance. The implications, particularly in the healthcare space, are significant where AI-driven care decisions can drift away from optimal care and have the potential to expose significant care gaps. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-163

Responsible use and governance of AI are key issues today, as training data limitations and data retention issues must be addressed. The risk of exposing PII or other confidential data, managing bias, hallucination, misinterpretation risks and other AI considerations are discussed. Fitzgerald, T. 2019. Chapter 4: Emerging Technologies and Trends in CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers, 1st Ed, pg 89-125. Fitzgerald, T. CRC Press, Boca Raton, Fl. www.amazon.com/author/toddfitzgerald. This segment is sponsored by Darktrace. Visit https://cisostoriespodcast.com/darktrace to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-162